Abstract

We consider the problem of diffusing information in networks that contain malicious nodes. We 
assume that each normal node in the network has no knowledge of the network topology other than 
an upper bound on the number of malicious nodes in its neighborhood. We introduce a topological 
property known as r-robustness of a graph, and show that this property provides improved bounds on 
tolerating malicious behavior, in comparison to traditional concepts such as connectivity and minimum 
degree. We use this topological property to analyze the canonical problems of distributed consensus 
and broadcast, and provide sufficient conditions for these operations to succeed. Finally, we provide a 
construction for r-robust graphs and show that the common preferential-attachment model for scale-free 
networks produces a robust graph. 

I. Introduction 

A core question in the study of large networks (both natural and engineered) is: how do the 
actions of a small subset of the population affect the global behavior of the network? For instance, 
the fields of sociology and epidemiology examine the spread of ideas, decisions and diseases 
through populations of people, based on the patterns of contact between the individuals in the 
population [1], [2], [3]. In this context, one can ask whether a few stubborn individuals (who
do not change their beliefs) are able to affect the decisions reached by the rest of the population
[4], [5]. Similarly, the efficacy of engineered networks (such as communication networks, or
multi-agent systems) is often predicated on their ability to disseminate information throughout
the network [6], [7]. For example, the 'broadcast' operation is used as a building block for more
complex functions, allowing certain nodes to inform all other nodes of pertinent information.
Another important operation is that of 'distributed consensus', where every node in the network 
has some information to share with the others, and the entire network must come to an agreement 
on an appropriate function of that information lO, lIH, ifTOl . ifTTI . lfT2l . 

The ability of a few individuals to affect the global behavior of the system is clearly a double- 
edged sword. When the network contains legitimate leaders or experts, it is beneficial to ensure 
that the innovations introduced by these small groups spread throughout the population. On the 
other hand, networks that facilitate diffusion are also vulnerable to disruption by individuals that 
are not acting with the best interests of the society in mind. In engineering applications, these 
individuals could correspond to faulty or malicious nodes that do not follow preprogrammed 
strategies due to malfunctions or attacks, respectively. Thus, a fundamental challenge is to 
identify network properties and diffusion dynamics that allow legitimate information to propagate 
throughout the network, while limiting the effects of illegitimate individuals and actions. 

The problem of transmitting information over networks (and specifically, reaching consensus) 
in the presence of faulty or malicious nodes has been studied extensively over the past several 
decades (e.g., see jHl, ^ and the references therein). It has been shown that if the connectivity of 
the network is $2f$ or less for some nonnegative integer $f$, then $f$ malicious nodes can conspire
to prevent some of the nodes from correctly receiving the information of other nodes in the
network. Conversely, when the network connectivity is $2f + 1$ or higher, there are various
algorithms to allow reliable dissemination of information (under the wireless broadcasting model
of communication) [13], [14]. However, these methods require that all nodes have full knowledge
of the network topology, along with the specific parameters of the algorithm applied by all other
nodes. Furthermore, the computational overhead for these methods is generally quite high [8],

ini. 

It is not surprising that there is a tradeoff between how much each node knows about the 
overall network and the conditions required for those nodes to overcome malicious adversaries. 
The objective of this paper is to analyze information dissemination strategies in networks with 
adversaries when each normal node only has access to its neighbors' values, and does not 
know anything about the rest of the network (i.e., the topology, number of nodes, location 
and behavior of malicious nodes, etc.); it only knows that the total number of adversaries in
its own neighborhood is bounded by some known quantity. We introduce the concept of
$r$-robust graphs, and show that such graphs provide resilience to malicious nodes. We focus on
the particular applications of fault-tolerant broadcast and distributed consensus, and similarly to
[15], we consider a locally bounded fault model where there is an upper bound on the number of
adversarial nodes in the neighborhood of any reliable node, but there is no other a priori bound
on the total number of adversaries in the network. In the case of fault-tolerant broadcast, our
conditions can be applied to show that broadcast will succeed in certain networks that do not
meet the conditions provided in [15]. For distributed consensus, our conditions provide separate
sufficient and necessary conditions for all normal nodes to reach consensus while limiting the
ability of locally-bounded malicious nodes to influence the final value.

II. System Model 

Consider a network modeled by the directed graph $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$, where $\mathcal{V} = \{1, \ldots, n\}$ is the
set of nodes and $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$ is the set of edges in the network. An edge $(j, i) \in \mathcal{E}$ indicates that
node $i$ can be influenced by (or receive information from) node $j$. The set of neighbors of node
$i$ is defined as $\mathcal{V}_i = \{j \mid (j, i) \in \mathcal{E}\}$ and the degree of $i$ is denoted by $\deg_i = |\mathcal{V}_i|$.

Suppose that each node in the network starts out with some private information (an opinion, 
a vote, a measurement, etc.). We will model each piece of information as a real number, and 
denote node $i$'s initial information as $x_i[0]$. Further suppose that the network is synchronous and
at each time-step $t \in \mathbb{N}$, each node updates its information based on its interactions with its
neighbors. We will model these updates as

$$x_i[t+1] = f_i(\{x_j[t]\}), \quad j \in \mathcal{V}_i \cup \{i\},$$

where $f_i(\cdot)$ can be an arbitrary function (and perhaps different for each node, depending on its
role in the network). We assume that each $f_i(\cdot)$ is specified a priori for each node $i$ in order
to achieve some pre-specified global objective. However, we also allow for the possibility that 
certain nodes in the network do not follow their prescribed strategy. We will use the following 
definitions in this paper. 

Definition 1: A node $i$ is said to be normal if it applies $f_i(\cdot)$ at every time-step $t$, and it is
called malicious otherwise. Denote the set of malicious nodes by $\mathcal{M}$, and the set of normal
nodes by $\mathcal{N} = \mathcal{V} \setminus \mathcal{M}$. □

Note that, in comparison with the Byzantine fault model [16], the fault model considered here
does not allow the malicious (or normal) nodes to transmit different values at each time step
(i.e., every pair of nodes will receive the same values from their common neighbors at each
time step). This assumption is natural in many network realizations (such as wireless networks),
and the above definition allows the malicious nodes to behave in an arbitrary manner under this
communication modality. However, we will also show that many of the results in this paper also
apply to the Byzantine fault model (where a Byzantine node can send arbitrary and different
values to different neighbors at each time-step).

Clearly, there is no hope of achieving any objective if every node in the network is malicious. 
Instead, it is reasonable to consider the resilience of the network to various specific classes of 
malicious nodes. For instance, a common assumption in the literature on fault-tolerant distributed 
algorithms is that the total number of malicious nodes in the network is upper bounded by some 
number $f$ [8], [13], i.e., the $f$-total malicious model. In very large networks, however, it
may be the case that the total number of failures or adversaries is quite large. To capture this,
we will consider in this paper a locally bounded fault model, taken from [17], [15].

Definition 2 ($f$-local set): A set $S \subset \mathcal{V}$ is $f$-local if it contains at most $f$ nodes in the
neighborhood of the other nodes, i.e., $|\mathcal{V}_i \cap S| \le f$, $\forall i \in \mathcal{V} \setminus S$. □

Definition 3 ($f$-local malicious model): A set $\mathcal{M}$ of malicious nodes is $f$-locally bounded if
it is an $f$-local set. □

Note that the $f$-total malicious model can be regarded as a special case of the $f$-local malicious
model. In the rest of the paper, we will focus on two specific algorithms, (i) distributed consensus,
and (ii) broadcast, and derive topological conditions that guarantee resilience to locally bounded
adversaries.

III. Asymptotic Consensus with Locally Bounded Adversaries 

The use of linear iterative strategies for facilitating distributed consensus has attracted signif- 
icant attention in the control community (see ^ and references therein). In such strategies, at 
each time-step $t \in \mathbb{N}$, each node communicates with its neighbors and updates its local value as




where $w_{ij}[t]$ is the weight assigned to node $j$'s value by node $i$ at time-step $t$.

Definition 4 (Asymptotic Consensus): The system is said to reach asymptotic consensus if
$|x_i[t] - x_j[t]| \to 0$ as $t \to \infty$, for all $i, j \in \mathcal{V}$. □

Various conditions have been provided in the literature that will guarantee that all nodes in 
the network reach asymptotic consensus [18], [19], [20], [11], [10] (we will discuss some of
these results in greater detail later in this paper). It is typical in these existing works to assume 
the following conditions for the weights. 

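Assumption 1: There exists a real-valued constant $\alpha \in (0, 1)$ such that

• $w_{ii}[t] \ge \alpha$, $\forall i, t$

• $w_{ij}[t] = 0$ if $j \notin \mathcal{V}_i$, $\forall i, j, t$

• $w_{ij}[t] \ge \alpha$ if $j \in \mathcal{V}_i$, $\forall i, j, t$

□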

The lower bound on the weights is imposed to guarantee convergence; there are various 
examples of graphs and updates with no lower bounds for which consensus does not occur [21]. 

Here, we are interested in the case where not all nodes in the network apply the above linear 
iterative strategy. Instead, these malicious nodes can update their values in arbitrary ways to 
prevent or bias the consensus value in the network. We now review some recent results pertaining 
to this scenario. 

A. Previous Results on Resilience of Asymptotic Consensus 

The paper [11] studied the use of linear iterative strategies as a mechanism for achieving
flocking behavior in multi-agent systems. They showed that if a 'leader' node in the network
does not update its value at each time-step (i.e., it maintains a constant value), then the above 
linear iterative strategy (where every other node updates its value to be a convex combination 
of its neighborhood values) will cause all nodes to asymptotically converge to the value of the 
leader. While this may be acceptable behavior when the network has a legitimate leader, it also 
seems to indicate that a simple asymptotic consensus scheme can be easily disrupted by just a 
single malicious node. A similar analysis was done in [22], where it was argued that since the
asymptotic consensus scheme can be disrupted by a single node that maintains a constant value,
it can also be disrupted by a single node that updates its values arbitrarily (since maintaining
a constant value is a special case of arbitrary updates). Both of these works only considered a
straightforward application of the linear iteration for asymptotic consensus, without having the
normal nodes perform any operations to avoid the influence of malicious behavior.

In [13], the authors provided a comprehensive analysis of linear iterative strategies in the
presence of malicious nodes. They demonstrated that linear iterative strategies are able to achieve
the minimum bound required to disseminate information reliably; specifically, when a network
is $2f + 1$ connected, $f$ malicious nodes will be unable to prevent any node from calculating any
function of the initial values (under the broadcast model of communication). This result was
extended in [14] to analyze linear iterative strategies for asymptotic consensus in the presence of
faulty agents (in addition to malicious agents), and [23] studied the problem of detecting attacks
in networks of linear continuous-time systems. While these results require minimal connectivity,
they also require each normal node to have full knowledge of the network topology, along with
strong computational and storage capabilities. The paper [24] considers the problem of reducing
the influence of external intruders on asymptotic consensus in tree networks. They propose a
rewiring scheme whereby each node changes its parent node in an effort to slow down the effect
of externally connected adversaries. While the approach presented in that paper is distributed, it
only applies to tree topologies and requires the location and intention of the adversaries to
be known by the nodes.

In [16], the authors introduced the Approximate Byzantine Consensus problem, in which
the normal nodes are required to achieve approximate agreement (i.e., they should converge
to a relatively small convex hull contained in their initial values) in the presence of
$f$-total Byzantine faults in finite time.¹ To solve this problem in complete networks (where there
is a direct connection between every pair of nodes), they proposed the following algorithm:
each node disregards the largest and smallest $f$ nodes in the network and updates its state
to be the average of a carefully chosen subset of the remaining values. They proved that the
algorithm achieves approximate agreement in synchronous and asynchronous networks if there
are more than $3f$ and $5f$ nodes in the network, respectively, and provided a provable convergence
rate for both networks. The algorithm was extended to be a family of algorithms, named the
Mean-Subsequence-Reduced or MSR algorithms, in [25]. Although the research on Approximate
Byzantine Consensus for complete networks is mature, there are only a few papers that study
this problem in general network topologies [26], [27], [28]; furthermore, these works have only
provided conditions for local convergence (convergence of a subset of nodes) [26], [28], or for
global convergence in special network topologies [27].

¹ If the network is synchronous, and if one allows $t \to \infty$, then approximate agreement is equivalent to the asymptotic consensus
problem considered in this paper.

The recent paper [29] proposes a continuous-time variation of the MSR algorithms, named the
Adversarial Robust Consensus Protocol (ARC-P), to solve asymptotic consensus under the
$f$-total malicious model. The authors show that the limit of the state trajectory of each normal node
exists and in complete networks, the normal nodes asymptotically reach consensus on a value
that is in the interval formed by their initial states. In [30], the authors extend the results from
[29] to slightly more general networks and provide sufficient conditions in terms of traditional
graph metrics, such as the in-degree and out-degree of nodes in the network. However, we will
show in this paper that these traditional metrics (such as degree and connectivity) studied in [8],
[13], [29], [30] are no longer the key factors that determine the efficacy of algorithms that make
purely local filtering decisions. Instead, we develop a novel topological condition for general
networks, termed $r$-robustness, which we show to be much more fundamental in characterizing
the behavior of algorithms such as MSR (including ARC-P) and fault-tolerant broadcast.

B. Description of the Algorithm 

We consider the network $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$, where at each time-step, each node $i$ receives the values
of the nodes in $\mathcal{V}_i$. Node $i$ does not know which, if any, nodes in its neighborhood are malicious;
it only knows that there are at most $f$ malicious nodes. In order to limit the influence of any
malicious nodes, each normal node disregards the most extreme values from its neighborhood at
each time-step, and uses the remaining values in its linear update. More formally, we extend the
MSR algorithm to be the Weighted-Mean-Subsequence-Reduced (W-MSR) algorithm as follows.

1) At each time-step $t$, each normal node $i$ receives values from all of its neighbors, and
ranks them from largest to smallest.

2) If there are $f$ or more values larger than $x_i[t]$, normal node $i$ removes the $f$ largest values.
If there are fewer than $f$ values larger than $x_i[t]$, normal node $i$ removes all of these larger
values. This same logic is applied to the smallest values in normal node $i$'s neighborhood.
Let $\mathcal{R}_i[t]$ denote the set of nodes whose values were removed by normal node $i$ at time-step
$t$.

3) Each normal node $i$ updates its value as

$$x_i[t+1] = w_{ii}[t]\, x_i[t] + \sum_{j \in \mathcal{V}_i \setminus \mathcal{R}_i[t]} w_{ij}[t]\, x_j[t], \qquad (1)$$

where the weights $w_{ii}[t]$ and $w_{ij}[t]$ satisfy Assumption 1.

Remark 1: Note that the algorithm is the same in time-varying networks, except that $\mathcal{V}_i$ is
a function of $t$. Furthermore, note that the above algorithm essentially falls within the class
of MSR algorithms, with the following generalizations. First, we allow arbitrary time-varying
weights on the edges at each time-step, subject to the constraints listed in Assumption 1. Note
that [31] also proposed an extension of the MSR algorithm which allows convex time-invariant
weights. Second, we allow a node to throw away fewer than $2f$ values if its own value falls
within the extreme range, thereby allowing it to take full advantage of the available information.
Moreover, we will analyze this algorithm in arbitrary graph topologies (not only fully-connected
ones). □

We call the largest number of values that each node could throw away the parameter of the
algorithm (it is equal to $2f$ in the above algorithm). Note that the set of nodes disregarded by
node $i$ can change over time, depending on their relative values. Thus, even if the network topology
itself is fixed, the algorithm effectively mimics a time-varying network. In other words, one can
view this as a consensus algorithm with state-dependent switching.

Remark 2: Consensus algorithms with state-dependent switching have drawn increased
attention in recent years [32], [33]. For example, the following model was introduced in [32] to
capture opinion dynamics in networks:

$$x_i[t+1] = \frac{\sum_{j : |x_i[t] - x_j[t]| < 1} x_j[t]}{\left|\{j : |x_i[t] - x_j[t]| < 1\}\right|}.$$

The constraint $|x_i[t] - x_j[t]| < 1$ represents 'bounded confidence' among these nodes: an agent
considers one of its neighbors' opinions as reasonable and accepts it if their opinions differ by
less than 1. There are various differences in the analysis in these previous works in comparison
with this paper. First, the above updating scheme assumes that the underlying graph is complete,
so that each node sees all other nodes and selects only those whose values are close to its own.
Second, there exists a fixed threshold (1 in the above scheme) to represent 'bounded confidence',
and this might cause the agents to converge to different clusters for certain choices of initial states
[33]. Most importantly, these previous works on state-dependent connectivity do not consider
the presence of malicious nodes; we posit that the fixed threshold in the update rule still allows a
malicious node to draw all of the other nodes to any desired consensus value, simply by waiting
until all node values have converged sufficiently close together, and then slowly inducing drift
by keeping its value near the edge of the fixed threshold. The algorithm considered in this paper,
on the other hand, applies to general topologies and inherently limits the amount of bias that
can be introduced by any $f$-local set of malicious nodes. □
Note that the W-MSR algorithm is efficient, scalable and fully distributed. The algorithm 
needs very limited computation and storage, which is especially important in resource limited 
networks. Furthermore, no node needs to know the topology of the network; the only requirement 
is that each normal node knows (or assumes) an upper bound of $f$ for the maximum number
of malicious nodes in its neighborhood. Due to this simplicity, it is perhaps unreasonable to
expect that this algorithm will be able to completely eliminate the effects of all malicious nodes.
Instead, as in [29], we will seek to ensure that the algorithm is $f$-local safe, which we define
below.

Definition 5 ($f$-local safe): Given the network $\mathcal{G}$, let $\mathcal{M}$ be the set of malicious nodes
(satisfying the $f$-local property) and $\mathcal{N}$ be the set of normal nodes. The W-MSR algorithm is said
to be $f$-local safe if all normal nodes asymptotically reach consensus for any choice of initial
values, and the consensus value is in the range $[m_{\mathcal{N}}[0], M_{\mathcal{N}}[0]]$, where $M_{\mathcal{N}}[0]$ and $m_{\mathcal{N}}[0]$ denote
the largest and smallest initial values of the normal nodes, respectively. □

Note that the above definition does not say that the malicious nodes will have no influence on 
the final consensus value. It only says that an $f$-local set of malicious nodes should not be able
to bias the consensus value to be something outside the range of normal initial values. There are 
various practical applications where this is useful. For instance, consider a large sensor network 
where every sensor takes a measurement of its environment, captured as a real number. Suppose 
that at the time of measurement, all values taken by correct sensors fall within a range [a,b], 
and that all sensors are required to come to an agreement on a common measurement value. If 
the range of measurements taken by the normal sensors is relatively small, it will likely be the 
case that reaching agreement on a value within that range will form a reasonable estimate of the 
measurements taken by all sensors. However, if a set of malicious nodes is capable of biasing 
the consensus value to be outside this range, the functioning of the network could be severely 
disrupted. 



Remark 3: Note that our concept of $f$-local safe holds even if an $f$-local set of malicious nodes
change their initial values; no matter what these malicious nodes change their value to be, if 
the algorithm achieves consensus, it will be on a value that is in the range of the initial values 
of the normal nodes. □ 



C. Analysis of the Algorithm 

Denote the maximum and minimum values of a set $S$ of nodes at time step $t$ as $M_S[t]$ and
$m_S[t]$, respectively, i.e., $M_S[t] = \max\{x_i[t] \mid i \in S\}$ and $m_S[t] = \min\{x_i[t] \mid i \in S\}$. Further
consider the difference $M_{\mathcal{N}}[t] - m_{\mathcal{N}}[t]$. Note that this difference tends to $0$ as $t \to \infty$ if and only if the normal nodes
reach asymptotic consensus.

Lemma 1: Under the $f$-local malicious model, if the normal nodes reach consensus, the
W-MSR algorithm is $f$-local safe.

Proof: At each time-step $t \in \mathbb{N}$, after receiving values from its neighbors, each normal node
throws away at most $f$ largest and $f$ smallest values. Since there are at most $f$ malicious nodes in
the neighborhood of any normal node, the remaining values must be in the range $[m_{\mathcal{N}}[t], M_{\mathcal{N}}[t]]$;
if all of the malicious nodes were removed, then only the normal nodes are left, and if some
malicious nodes' values are adopted, then the malicious nodes must have had values inside the
range of the normal values. Since the update (1) is a convex combination of these values, we
have $x_i[t+1] \in [m_{\mathcal{N}}[t], M_{\mathcal{N}}[t]]$ for all $t$ (showing that $m_{\mathcal{N}}[t]$ is nondecreasing and $M_{\mathcal{N}}[t]$ is
non-increasing). If all normal nodes reach consensus, it must be that $M_{\mathcal{N}}[t] - m_{\mathcal{N}}[t] \to 0$, indicating that
$x[t] \to m_{\mathcal{N}}[t]$ (or $M_{\mathcal{N}}[t]$), and thus the result follows by virtue of the fact that these quantities
are monotonic. ■

The task now is to provide conditions under which the normal nodes reach consensus, despite 
the (arbitrary) actions of the malicious nodes. Recall that when there are up to $f$ malicious nodes
in the entire network, and each normal node knows the entire network topology (along with the
weights used by all other nodes), a network connectivity of $2f + 1$ is necessary and sufficient to
overcome the malicious nodes [13]. The first question that comes to mind is thus: what does the
connectivity of the network have to say about the ability of the algorithm to facilitate consensus? 
Unfortunately, the following result shows that there exist graphs with large connectivity, but that 
fail to reach consensus under this algorithm. 



Proposition 1: There exists a network with connectivity $k = \lfloor n/2 \rfloor + f - 1$ that cannot achieve
asymptotic consensus using the W-MSR algorithm with parameter $2f$.

Proof: Construct an undirected graph as follows. Take two fully-connected graphs of $\lfloor n/2 \rfloor$ and
$\lceil n/2 \rceil$ nodes, respectively, and call these sets $A$ and $B$. Number nodes in $A$ and $B$ as $a_1, a_2, \ldots, a_{\lfloor n/2 \rfloor}$
and $b_1, \ldots, b_{\lceil n/2 \rceil}$, respectively. When $n$ is even (singular), for any node $a_i \in A$, if $i <$
… $- f + 1$ ($|B| - f + 2$), connect with nodes $b_i, \ldots,$ otherwise, connect with
nodes $b_i, \ldots,$ and nodes $b_1, \ldots,$ Form similar connections for nodes in $B$. Then
each node in $A$ has exactly $f$ neighbors in $B$, each node in $B$ has at most $f$ neighbors in set $A$.

Next we will prove that the connectivity of this graph is $\lfloor n/2 \rfloor + f - 1$. Let $C = \{C_A, C_B\}$
be a vertex cut, where $C_A = C \cap A$ and $C_B = C \cap B$. Without loss of generality, assume
that $C_A = \{a_1, \ldots, a_{|C_A|}\}$; other ways of choosing $C_A$ are equivalent to this situation by
renumbering the nodes. By the definition of a vertex cut, we know $|C_A| \ge f$; otherwise, each
node in $B \setminus C_B$ still has at least one neighbor in $A$, and since $A \setminus C_A$ and $B \setminus C_B$ each induce
fully-connected subgraphs, we see that the graph will be connected (contradicting the fact that $C$
is a vertex cut). When $f \le |C_A| < \lfloor n/2 \rfloor$, the remaining nodes of $A$ still have $k = \lfloor n/2 \rfloor - |C_A| + f - 1$
neighbors in $B$, which implies we need to remove at least $k$ nodes from $B$ to disconnect the
graph. When $C_A = A$, since $B$ is complete, we know $|C_B| = \lceil n/2 \rceil - 1$. Thus the connectivity of
this graph is $\lfloor n/2 \rfloor + f - 1$.

In this graph, assume that all nodes in $A$ have initial value $c_1$, and all nodes in $B$ have initial
value $c_2$, where $c_1 < c_2$. When any node $a_i$ applies the W-MSR algorithm, all of its $f$ neighbors
in $B$ have the highest values in $a_i$'s neighborhood, and thus they are all disregarded. Similarly,
all of $b_i$'s neighbors in $A$ are all disregarded as well. Thus, each node in each set only uses the
values from its own set, and no node ever changes its value, which shows that consensus will
never be reached in this network. ■

Note that the above network also has minimum degree $\lfloor n/2 \rfloor + f - 1$. Thus, even networks
with a large degree or connectivity are not sufficient to guarantee that the normal nodes will
reach consensus, indicating that these metrics are not particularly useful on their own to analyze
the performance of this algorithm. In the next section, we define a topological notion that we
term robustness, and show that this notion more readily characterizes the situations where the
algorithm is $f$-local safe.
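The following Python sketch is an added illustration, not code from the paper. It implements steps 1-3 of W-MSR and runs two constructed scenarios: a stubborn malicious node in a complete graph (plain averaging versus filtering with $f = 1$), and a two-clique graph in the spirit of Proposition 1 where filtering alone stalls consensus. The equal weights, the node labels, the initial values and the helper names are assumptions made for the example.

```python
def wmsr_step(x, in_nbrs, f, normal):
    """One synchronous W-MSR step. x: node -> value; in_nbrs: node -> set V_i."""
    nxt = dict(x)
    for i in normal:
        # Steps 1-2: rank neighbours, drop up to f values strictly above and below x_i[t].
        larger = sorted((j for j in in_nbrs[i] if x[j] > x[i]), key=x.get, reverse=True)
        smaller = sorted((j for j in in_nbrs[i] if x[j] < x[i]), key=x.get)
        removed = set(larger[:f]) | set(smaller[:f])      # the set R_i[t]
        kept = [j for j in in_nbrs[i] if j not in removed]
        # Step 3, eq. (1), with equal weights 1/(|kept|+1) >= 1/n (assumed choice).
        w = 1.0 / (len(kept) + 1)
        nxt[i] = w * (x[i] + sum(x[j] for j in kept))
    return nxt


def run(x0, in_nbrs, f, malicious_value=None, steps=300):
    """Iterate W-MSR; malicious_value maps a node to the constant it reports."""
    malicious_value = malicious_value or {}
    normal = [i for i in x0 if i not in malicious_value]
    x = {**x0, **malicious_value}
    for _ in range(steps):
        x = wmsr_step(x, in_nbrs, f, normal)
        x.update(malicious_value)          # the adversary ignores the update rule
    return {i: x[i] for i in normal}


def complete_graph(n):
    return {i: set(range(n)) - {i} for i in range(n)}


def two_cliques(size, f):
    """Constructed example: cliques A and B, every node has exactly f
    neighbours in the other clique (undirected)."""
    g = {}
    for i in range(size):
        g[("a", i)] = ({("a", k) for k in range(size) if k != i}
                       | {("b", (i + k) % size) for k in range(f)})
        g[("b", i)] = ({("b", k) for k in range(size) if k != i}
                       | {("a", (i - k) % size) for k in range(f)})
    return g


def stubborn_node_demo():
    """Complete graph on 7 nodes; node 6 always reports 100, normals start at 0..5."""
    g = complete_graph(7)
    x0 = {i: float(i) for i in range(7)}
    bad = {6: 100.0}
    plain = run(x0, g, f=0, malicious_value=bad)      # no filtering
    filtered = run(x0, g, f=1, malicious_value=bad)   # W-MSR with f = 1
    return plain, filtered


def two_clique_demo():
    """No malicious node at all: A starts at 0, B at 1, f = 1."""
    g = two_cliques(4, f=1)
    x0 = {v: (0.0 if v[0] == "a" else 1.0) for v in g}
    return x0, run(x0, g, f=1)


if __name__ == "__main__":
    plain, filtered = stubborn_node_demo()
    print("plain averaging :", sorted(round(v, 6) for v in plain.values()))
    print("W-MSR, f = 1    :", sorted(round(v, 6) for v in filtered.values()))
    x0, xT = two_clique_demo()
    print("two cliques unchanged after 300 steps:", xT == x0)
```

Without filtering the normal nodes are dragged to the adversary's value; with $f = 1$ they agree on a value inside the range of their own initial values, while the two-clique graph never moves even though every node has degree 4.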



IV. Robust Graphs 

Taking a closer look at the graph constructed in Proposition 1, we see that the reason for
the failure of consensus in this case is that no node has enough neighbors in the opposite set; 
this causes each node to throw away all useful information from the opposite set, and prevents 
consensus. Based on this intuition, we define the following property of a set of nodes, which we 
will show to be key to characterizing the behavior of local filtering algorithms such as W-MSR. 

Definition 6 ($r$-reachable set): For a graph $\mathcal{G}$ and a subset $S$ of nodes of $\mathcal{G}$, we say $S$ is an
$r$-reachable set if $\exists i \in S$ such that $|\mathcal{V}_i \setminus S| \ge r$, where $r \in \mathbb{N}^+$. □

In words, a set S is r-reachable if it contains a node that has at least r neighbors outside. 
The following lemma follows directly from the definition of an r-reachable set. 

Lemma 2: Consider a graph $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$, and suppose that $S \subset \mathcal{V}$ is an $r$-reachable set of
nodes. Then,

• $S$ is $r'$-reachable for any $r'$ satisfying $1 \le r' \le r$.

• If we remove up to $K$ incoming edges of each node $i \in \mathcal{V}$, where $K < r$, then $S$ is
$(r - K)$-reachable.

Definition 7 ($r$-robust graph): A graph $\mathcal{G}$ is $r$-robust if for every pair of nonempty, disjoint
subsets of $\mathcal{V}$, at least one of the subsets is $r$-reachable. □

Based on these definitions, we obtain the following properties of r-robust graphs. 

Lemma 3: For an $r$-robust graph $\mathcal{G}$, let $\mathcal{G}'$ be the graph produced by removing up to $K$
incoming edges of each node in $\mathcal{G}$ ($K < r$). Then $\mathcal{G}'$ is $(r - K)$-robust.

Proof: First note that the minimum degree of an $r$-robust graph must be at least $r$; otherwise,
if there is a node $i$ with degree less than $r$, then by taking the two subsets $\{i\}$ and $\mathcal{V} \setminus \{i\}$,
we see that neither subset would have a node with $r$ neighbors outside. Thus, it is possible to
remove $K$ incoming edges from every node. We can now apply the second property in Lemma 2
to obtain the desired result. ■
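The brute-force checker below is an added example, not part of the paper. It applies Definitions 6 and 7 literally to small graphs (it enumerates all $3^n$ ways to place each node in the first subset, the second, or neither) and also exercises Lemma 3 on a complete graph. The graphs and helper names are constructed for the illustration.

```python
from itertools import product


def is_r_reachable(g, S, r):
    """Definition 6: some node in S has at least r in-neighbours outside S.
    g maps each node to its in-neighbour set V_i."""
    return any(len(g[i] - S) >= r for i in S)


def violating_pair(g, r):
    """Return nonempty disjoint (S1, S2) with neither r-reachable, or None.
    None means the graph is r-robust (Definition 7)."""
    nodes = list(g)
    for labels in product((0, 1, 2), repeat=len(nodes)):
        s1 = {v for v, lab in zip(nodes, labels) if lab == 1}
        s2 = {v for v, lab in zip(nodes, labels) if lab == 2}
        if s1 and s2 and not is_r_reachable(g, s1, r) and not is_r_reachable(g, s2, r):
            return s1, s2
    return None


def max_robustness(g):
    """Largest r for which g is r-robust (0 if it is not even 1-robust)."""
    r = 0
    while r < len(g) and violating_pair(g, r + 1) is None:
        r += 1
    return r


def complete(n):
    return {i: set(range(n)) - {i} for i in range(n)}


def matched_cliques(m):
    """Constructed graph: cliques {0..m-1} and {m..2m-1} joined by the
    perfect matching i <-> i+m."""
    return {v: {u for u in range(2 * m)
                if u != v and (u // m == v // m or u % m == v % m)}
            for v in range(2 * m)}


def drop_incoming(g, K):
    """Remove the K lowest-numbered incoming edges of every node (Lemma 3 setup)."""
    return {i: set(sorted(nbrs)[K:]) for i, nbrs in g.items()}


if __name__ == "__main__":
    k5 = complete(5)
    print("K5 robustness:", max_robustness(k5))
    print("K5 minus one incoming edge per node:", max_robustness(drop_incoming(k5, 1)))
    g = matched_cliques(4)
    print("matched 4-cliques: min degree", min(len(v) for v in g.values()),
          "robustness", max_robustness(g))
```

The matched cliques have minimum degree 4 but are only 1-robust, because neither clique contains a node with two neighbours outside it; this is the property that degree and connectivity fail to capture.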

Lemma 4: If $\mathcal{G}$ is $r$-robust for some $r \ge 1$, then it has a spanning tree.

Proof: It is sufficient to show that a 1-robust graph has a spanning tree. Consider the 1-robust
graph $\mathcal{G}$. We will prove that this graph has a spanning tree by contradiction: assume that $\mathcal{G}$ does
not have a spanning tree. Decompose the graph into its strongly connected components, and note
that since the graph does not have a spanning tree, there must be at least two components that
have no incoming edges from any other components. However, this contradicts the assumption
that $\mathcal{G}$ is 1-robust (at least one of the two subsets must have a neighbor outside the set), so it
must be true that there exists a spanning tree. ■
When $r = 1$, the above proof is a more direct version of the proof of Theorem 5 in [20].

A. Consensus With Locally Bounded Faults 

In this subsection, we will explore sufficient and necessary conditions under which the
algorithm is $f$-local safe. We first define some notation.

Denote the set of normal nodes with maximum and minimum values at time step $t$ as $S_M[t]$
and $S_m[t]$, respectively, i.e., $S_M[t] = \{i \mid x_i[t] = M_{\mathcal{N}}[t], i \in \mathcal{N}\}$ and $S_m[t] = \{i \mid x_i[t] =
m_{\mathcal{N}}[t], i \in \mathcal{N}\}$.

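Definition 8: For a network $\mathcal{G}$, define the normal network of $\mathcal{G}$, denoted by $\mathcal{G}_{\mathcal{N}}$, as the network
induced by the normal nodes, i.e., $\mathcal{G}_{\mathcal{N}} = \{\mathcal{N}, \mathcal{E}_{\mathcal{N}}\}$, where $\mathcal{E}_{\mathcal{N}}$ is the set of edges among the
normal nodes. □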

The following lemma provides a key sufficient condition for the normal nodes to reach 
consensus. 

Lemma 5: Under the $f$-local malicious model, the W-MSR algorithm with parameter $2f$ is
$f$-local safe if the normal network $\mathcal{G}_{\mathcal{N}}$ of the network is $(f + 1)$-robust.

The proof of this result is given in the Appendix. With the above Lemma in hand, we are now
in place to provide a condition on the original network $\mathcal{G}$ that will guarantee that the algorithm
is $f$-local safe.

Theorem 1: Under the $f$-local malicious model, the W-MSR algorithm with parameter $2f$ is
$f$-local safe if the network $\mathcal{G}$ is $(2f + 1)$-robust. □
Proof: By the definition of the normal network, $\mathcal{G}_{\mathcal{N}}$ is obtained by removing up to $f$
incoming edges from each normal node in $\mathcal{G}$. By Lemma 3, if $\mathcal{G}$ is $(2f + 1)$-robust, then $\mathcal{G}_{\mathcal{N}}$ is
$(f + 1)$-robust. Finally, by Lemma 5, we get the result. ■

The following proposition shows that the $(2f + 1)$-robust condition is tight.

Proposition 2: For every $f > 0$, there exists a $2f$-robust network which fails to reach
consensus using the W-MSR algorithm with parameter $2f$.

Proof: We will prove the result by giving a construction of such a graph, visualized in
Figure 1. In Figure 1, $S_1$, $S_2$ and $S_3$ are all complete components with $|S_1| = 2f$, $|S_2| = 4f$
and $|S_3| = 2f$. Each node in $S_1$ connects to $2f$ nodes of $S_2$ and each node in $S_3$ connects to
the other $2f$ nodes of $S_2$, and all these connections are undirected. Node $a$ has incoming edges
from all nodes in $S_1$ and similarly node $b$ has incoming edges from all nodes in $S_3$. This is an
example of a graph that arises from the construction that we derive in Section VI, where we
show that such a graph will be $2f$-robust. We choose $f$ nodes of $S_1$ and also $f$ nodes of $S_3$ to
be malicious; note that this constitutes an $f$-local set of malicious nodes. Then we assign node $a$
with initial value $m$, node $b$ with initial value $M$ and the other normal nodes with initial values
$c$, such that $m < c < M$. Malicious nodes in $S_1$ and $S_3$ will keep their values unchanged at $m$
and $M$, respectively. We can see that, by using the W-MSR algorithm, the values of nodes $a$
and $b$ will never change and thus consensus cannot be reached, completing the proof. ■



Fig. 1. Illustration of Proposition 2.
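The construction in the proof of Proposition 2 can be simulated directly; the following Python sketch is an added example, not code from the paper. It assumes |S2| = 4f (inferred from "the other 2f nodes"), equal update weights, and the filtering rule described in the Appendix (a normal node discards up to f received values above and up to f below its own); node names and the values m = 0, c = 0.5, M = 1 are constructed.

```python
def prop2_network(f):
    """In-neighbor sets of the Proposition 2 construction; |S2| = 4f is assumed here."""
    S1 = [f"s1_{k}" for k in range(2 * f)]
    S2 = [f"s2_{k}" for k in range(4 * f)]
    S3 = [f"s3_{k}" for k in range(2 * f)]
    nbrs = {v: set() for v in S1 + S2 + S3 + ["a", "b"]}
    pairs = [(u, v) for comp in (S1, S2, S3) for u in comp for v in comp if u != v]
    pairs += [(u, v) for u in S1 for v in S2[:2 * f]]    # S1 <-> first 2f nodes of S2
    pairs += [(u, v) for u in S3 for v in S2[2 * f:]]    # S3 <-> the other 2f nodes of S2
    for u, v in pairs:                                    # undirected edges
        nbrs[u].add(v)
        nbrs[v].add(u)
    nbrs["a"] |= set(S1)                                  # directed: a only listens to S1
    nbrs["b"] |= set(S3)                                  # directed: b only listens to S3
    return nbrs, set(S1[:f]), set(S3[:f])

def wmsr_step(x, nbrs, malicious, f):
    """One synchronous W-MSR update; malicious nodes keep their values."""
    new = dict(x)
    for i in nbrs:
        if i in malicious:
            continue
        recv = sorted(x[j] for j in nbrs[i])
        low = [v for v in recv if v < x[i]][f:]           # drop up to f smallest values below x_i
        high = [v for v in recv if v > x[i]]
        high = high[:max(len(high) - f, 0)]               # drop up to f largest values above x_i
        used = low + [v for v in recv if v == x[i]] + high + [x[i]]
        new[i] = sum(used) / len(used)                    # equal weights: an assumption
    return new

def spread_after(f, attack, steps=200, m=0.0, c=0.5, M=1.0):
    """Max minus min over normal nodes after `steps` rounds, with or without the adversary."""
    nbrs, bad_low, bad_high = prop2_network(f)
    malicious = (bad_low | bad_high) if attack else set()
    x = {v: c for v in nbrs}
    x["a"], x["b"] = m, M
    if attack:
        x.update({v: m for v in bad_low})
        x.update({v: M for v in bad_high})
    for _ in range(steps):
        x = wmsr_step(x, nbrs, malicious, f)
    normal = [x[v] for v in nbrs if v not in malicious]
    return max(normal) - min(normal)
```

With the f-local adversary in place the spread between normal nodes stays at M - m indefinitely, while the same graph with no malicious nodes converges to c.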

While the above discussions have been for an underlying time-invariant network $\mathcal{G}$, it is
relatively straightforward (albeit notationally tedious) to extend the results to time-varying
networks as follows.

Corollary 1: Let $\mathcal{G}[t] = \{\mathcal{V}, \mathcal{E}[t]\}$ be a time-varying network with node set $\mathcal{V}$ and
edge set at time-step t given by $\mathcal{E}[t]$. Let $\{t_k\}$ be the set of time-steps when $\mathcal{G}[t]$ is
(2f + 1)-robust. Under the f-local malicious model, the W-MSR algorithm with parameter 2f is
f-local safe if $|\{t_k\}| = \infty$ and $|t_{k+1} - t_k| \leq c$, $\forall k$, where $c \in \mathbb{N}^+$ is some
constant.

The proof is similar to Theorem 1 and we omit it here.

Finally, the following result provides a necessary condition for the W-MSR algorithm to be
f-local safe.

Theorem 2: Under the f-local malicious model, the necessary condition for the W-MSR
algorithm with parameter 2f to be f-local safe is that the network $\mathcal{G}$ is (f + 1)-robust. □
Proof: If the network is not (f + 1)-robust, there exist two disjoint subsets of nodes that
are not (f + 1)-reachable, i.e., each node in these two sets would have at most f neighbors
outside the set. If we assign the maximum and minimum values in the network to these two
sets, respectively, the nodes in these sets would never use any values from outside their own
sets. Thus, their values would remain unchanged, and consensus will not be reached. ■
Note that the network constructed in Proposition 1 is only f-robust (but not (f + 1)-robust),
since no nodes in sets A or B have f + 1 neighbors outside those sets. Furthermore, it is of
interest to note that the derivations of Theorem 1, Corollary 1 and Theorem 2 did not rely on
the fact that malicious nodes send the same value to all their neighbors. Thus, these results also
apply to the f-local Byzantine model of adversaries.

V. Broadcasting with Locally Bounded Adversaries 

Having characterized the behavior of the consensus algorithm in terms of the r-robust property
of graphs, we now turn our attention to another important objective in networks: broadcasting
a single value throughout the network. We focus on the following problem, studied in [17],
[18]. Consider a time-invariant communication network $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$, with a specially
designated source node $s \in \mathcal{V}$. The source has a value $x_s[0]$ that it wishes to broadcast to
every other node in the network. However, there may be various malicious nodes scattered
throughout the network that wish to prevent certain nodes from obtaining the correct value of
the source. The authors consider the set of malicious nodes to be f-locally bounded. To achieve
broadcast (i.e., all normal nodes receive the source's message), [17] proposes the following
so-called Certified Propagation Algorithm (CPA).

1) At time-step 0, the source broadcasts its value to all of its neighbors, and maintains its
value for all subsequent time-steps.

2) At time-step 1, all normal neighbors of the source receive the source's value and broadcast
it to all of their neighbors. The normal neighbors of the source maintain this value for all
subsequent time-steps.

3) At each time-step t, if a normal node has received an identical value from f + 1 neighbors,
then it accepts that value and broadcasts it to all of its neighbors. This normal node keeps
this value for all subsequent time-steps.

Due to the assumption of f-locally bounded malicious nodes, it is easy to see that a normal
node will only ever accept a value if it is the actual value broadcast by the source. For CPA, the
following result from [18] provides a sufficient condition for all normal nodes in the network to
eventually accept the value broadcast by the source.

Theorem 3 ([18]): For a graph $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$ and nodes $v, s \in \mathcal{V}$, let $X(v, s)$ denote the
number of nodes that are in v's neighborhood and are closer to s than v. Let
$X(\mathcal{G}) = \min\{X(v, s) \mid v, s \in \mathcal{V}, (v, s) \notin \mathcal{E}\}$. Then CPA succeeds if $X(\mathcal{G}) > 2f$. □

This is only a sufficient condition; we will now provide a different sufficient condition for CPA 
to succeed, in terms of the robust-graph property that we have defined. We will first introduce 
a variation of the concept of an r-robust graph. 

Definition 9 (strongly r-robust graph): For a positive integer r, graph $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$ is
strongly r-robust if for any nonempty subset $S \subseteq \mathcal{V}$, either S is r-reachable or there exists
a node $i \in S$ such that $\mathcal{V} \setminus S \subseteq \mathcal{V}_i$. □

Note that the difference between a strongly r-robust graph and the standard r-robust graph 
is that the former requires every subset of nodes to be either r-reachable, or have a node that 
connects to every node outside the set, whereas the latter only requires that one of any two sets 
satisfies the property of being r-reachable. Any strongly r-robust graph is r-robust, but not vice 
versa. 

Theorem 4: Under the f-local malicious model, CPA succeeds for any source if the network
is strongly (2f + 1)-robust. □
Proof: All normal neighbors of the source receive the message directly, and thus they all
accept it. We will use contradiction to prove that all other nodes receive the broadcast message.
Suppose that CPA fails to deliver the message to all normal nodes, and let S denote the set of
all such normal nodes. By the definition of a strongly (2f + 1)-robust graph, we know that some
node i in S must have 2f + 1 neighbors outside S or connects to all nodes outside. For the former
situation, at most f of these nodes can be malicious, and all other nodes are normal nodes that
have received the message and re-broadcasted it; for the latter, this node would directly connect
to the source and thus get the message. In either case, this contradicts the assumption that node
i would fail to get the message, and thus the algorithm achieves broadcast. ■

Note that if the condition of either Theorem 3 or Theorem 4 is satisfied, CPA will also succeed
under the f-local Byzantine model. Finally, the following Proposition shows that CPA succeeds
in certain networks which do not satisfy the condition proposed in Theorem 3.

Proposition 3: For some f, there exist graphs with $X(\mathcal{G}) \leq 2f$ but that are strongly
(2f + 1)-robust.

Proof: For f = 1, construct an undirected graph $\mathcal{G}$ as follows. Start with a fully-connected
graph of five nodes, denoted as 1, 2, ..., 5 in turn. Add two nodes 6 and 7 and connect them
to nodes 2, 3, 4 and 3, 4, 5 respectively. Finally, add a node 8 and connect it to nodes 3, 4, 6, 7.
If we take node 1 as the source, it is easy to check that in the neighborhood of node 8, there
are only two nodes that are closer to the source. Thus $X(\mathcal{G}) \leq 2f$ here, but the graph is still
strongly (2f + 1)-robust, and CPA will succeed. ■
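Proposition 3's eight-node graph is small enough to check exhaustively. This added Python example (not from the paper; the function names are illustrative) computes X(v, s), tests Definition 9 by brute force, and runs the three CPA steps with a malicious node that sends a forged value to all of its neighbors; the source is assumed normal.

```python
from collections import deque
from itertools import combinations

def prop3_graph():
    """Undirected graph from the proof of Proposition 3 (f = 1), as adjacency sets."""
    adj = {v: set() for v in range(1, 9)}
    edges = list(combinations(range(1, 6), 2))            # complete graph on nodes 1..5
    edges += [(6, u) for u in (2, 3, 4)] + [(7, u) for u in (3, 4, 5)]
    edges += [(8, u) for u in (3, 4, 6, 7)]
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

def closer_neighbors(adj, v, s):
    """X(v, s): neighbors of v that are strictly closer to s than v is (BFS distances)."""
    dist, queue = {s: 0}, deque([s])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return sum(1 for w in adj[v] if dist[w] < dist[v])

def strongly_robust(adj, r):
    """Definition 9 by brute force: each nonempty S is r-reachable or has a node adjacent to all of V minus S."""
    nodes = set(adj)
    for k in range(1, len(nodes) + 1):
        for S in map(set, combinations(sorted(nodes), k)):
            outside = nodes - S
            if not any(len(adj[i] & outside) >= r or outside <= adj[i] for i in S):
                return False
    return True

def cpa(adj, source, value, f, malicious=frozenset(), lie="forged"):
    """Sweep CPA to its fixed point; returns the values accepted by the normal nodes."""
    accepted = {source: value}
    accepted.update({v: value for v in adj[source] if v not in malicious})
    changed = True
    while changed:
        changed = False
        for v in sorted(set(adj) - set(accepted) - set(malicious)):
            heard = [lie if u in malicious else accepted[u]
                     for u in adj[v] if u in malicious or u in accepted]
            for val in set(heard):
                if heard.count(val) >= f + 1:             # identical value from f + 1 neighbors
                    accepted[v] = val
                    changed = True
                    break
    return accepted
```

In this graph nodes 3 and 4 neighbor every other node, so any two nodes share a normal neighbor and every 1-local malicious set is a single node; iterating over single malicious nodes therefore covers the whole f = 1 adversary model for source 1.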

VI. Constructing an r-robust Graph

Note that the concept of an r-robust graph requires that every possible subset of nodes in the 
graph satisfies the property of being r-reachable. Currently, we do not have a computationally 
efficient method to check whether this property holds for an arbitrary graph. In this section, 
however, we describe how to construct r-robust graphs, and show that our construction contains 
the preferential-attachment model of scale-free networks as a special case [34].

Theorem 5: Let $\mathcal{G} = \{\mathcal{V}, \mathcal{E}\}$ be an r-robust graph. Then graph
$\mathcal{G}' = \{\{\mathcal{V}, v_{new}\}, \{\mathcal{E}, \mathcal{E}_{new}\}\}$, where $v_{new}$ is a new vertex added to $\mathcal{G}$ and
$\mathcal{E}_{new}$ is the edge set related to $v_{new}$, is r-robust if $\deg_{v_{new}} \geq r$. □
Proof: When we take a pair of nonempty, disjoint subsets of nodes from $\mathcal{G}'$, there are two
cases. If one of the subsets contains only $v_{new}$, then this subset is r-reachable (since $v_{new}$
has r neighbors in $\mathcal{G}'$). If both of the subsets contain nodes from the original graph $\mathcal{G}$, then
at least one of the two sets is r-reachable, because these two sets (minus $v_{new}$) exist in the
original r-robust graph $\mathcal{G}$, and thus one of the sets has a node that has at least r neighbors
outside. Thus, $\mathcal{G}'$ is r-robust. ■

The above theorem indicates that to build an r-robust graph with n nodes (where n > r), 
we can start with an r-robust graph of order less than n (such as some complete graph), and 
continually add new nodes with incoming edges from at least r nodes in the existing graph. The 
theorem does not specify which existing nodes should be chosen as neighbors. A particularly 
interesting case is when the nodes are selected with a probability proportional to the number of 
edges that they already have; this is known as preferential-attachment, and leads to the formation 
of so-called scale-free networks [34]. This mechanism is cited as a plausible mechanism for
the formation of many real-world complex networks, and thus our analysis indicates that these
networks will also be resilient to locally-bounded malicious nodes (provided that r is sufficiently
large when the network is forming).
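Theorem 5's construction, with preferential attachment as the neighbor-selection rule, can be checked by brute force on small graphs. This is an added Python example, not the paper's code: the complete seed graph on 2r - 1 nodes (which is r-robust), the undirected edges, the restriction to r >= 2 and the function names are assumptions, and the exhaustive check enumerates all 3^n labelings of the nodes, so it is only feasible for small n.

```python
import random
from itertools import product

def is_r_robust(adj, r):
    """Brute force: for every pair of nonempty disjoint subsets, at least one is r-reachable."""
    nodes = sorted(adj)

    def reachable(S):
        # S is r-reachable if some node in S has at least r neighbors outside S.
        return any(len(adj[i] - S) >= r for i in S)

    for labels in product((0, 1, 2), repeat=len(nodes)):  # 0: in neither set, 1: S1, 2: S2
        S1 = {v for v, lab in zip(nodes, labels) if lab == 1}
        S2 = {v for v, lab in zip(nodes, labels) if lab == 2}
        if S1 and S2 and not (reachable(S1) or reachable(S2)):
            return False
    return True

def grow(r, n, rng):
    """Grow an n-node graph from a complete graph on 2r - 1 nodes (assumes r >= 2).

    Each new node attaches to r distinct existing nodes, chosen with probability
    proportional to their current degree (preferential attachment).
    """
    base = 2 * r - 1
    adj = {v: set(range(base)) - {v} for v in range(base)}
    for new in range(base, n):
        pool = [v for v in adj for _ in adj[v]]           # node v appears deg(v) times
        targets = set()
        while len(targets) < r:
            targets.add(rng.choice(pool))
        adj[new] = set(targets)
        for v in targets:
            adj[v].add(new)
    return adj
```

Attaching a new node with fewer than r edges breaks the property: the pair consisting of that node alone and all remaining nodes has no r-reachable member.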

VII. Conclusion and Discussion 

We have studied the problem of disseminating information in networks that contain malicious 
nodes, and where each normal node has no knowledge of the global topology of the network. 
We showed that the classical notions of connectivity and minimum degree are not particularly 
useful in characterizing the behavior of a class of algorithms that relies on purely local filtering 
rules. We then introduced the notion of an r-robust graph, and showed that this concept allows 
us to provide conditions for achieving the objectives of distributed consensus and fault-tolerant 
broadcast, without requiring any knowledge of the graph topology on the part of the nodes in 
the network. 

For distributed consensus, variations and extensions of the approach used in this paper have
recently appeared in [35] (for the f-total model of malicious, but non-Byzantine, behavior), and
in [36] (for the f-total model of Byzantine behavior). The sufficient and necessary conditions
proposed in [36] for the MSR algorithms to achieve consensus also apply for the f-local
Byzantine model; however, the proof of the necessary condition in [36] does not apply for
the f-local malicious model (which is the scenario considered in this paper), and thus obtaining
a single necessary and sufficient condition for consensus under this model is an open problem. It 
is also of interest to note that the notion of an r-reachable set is similar to the notion of 'clusters', 
which are topological structures identified in Q as being impediments to information cascades 
in networks. While the topic of information cascades is closely tied to the problems that we 
consider in this paper, the presence of malicious nodes in our setup significantly complicates the 
analysis. Nevertheless, a closer connection to the results in those works is the subject of ongoing 
research. Finally, it will be of interest to relate the r-robust property defined in this paper to 
other recent characterizations of network topologies that facilitate fault-tolerant broadcast [37].

Appendix

Lemma 5: Recall that $\mathcal{N}$ is the set of normal nodes, and define $N = |\mathcal{N}|$. Let $a_M[t]$ and
$a_m[t]$ denote the maximum and minimum value of the normal nodes at time-step t, respectively.
From Lemma [H we know that both $a_M[t]$ and $a_m[t]$ are monotone and bounded functions of
t and thus each of them has some limit, denoted by $A_M$ and $A_m$, respectively. Note that if
$A_M = A_m$, the normal nodes will reach consensus. We will now prove by contradiction that this
must be the case.

Suppose that $A_M \neq A_m$ (note that $A_M > A_m$ by definition). We can then define some constant
$\epsilon_0 > 0$ such that $A_M - \epsilon_0 > A_m + \epsilon_0$. At any time-step t and for any positive real
number $\epsilon_i$, let $\mathcal{X}_M(t, \epsilon_i)$ denote the set of all normal nodes that have values in the range
$(A_M - \epsilon_i, A_M + \epsilon_i)$, and let $\mathcal{X}_m(t, \epsilon_i)$ denote the set of all normal nodes that have
values in the range $(A_m - \epsilon_i, A_m + \epsilon_i)$. Note that $\mathcal{X}_M(t, \epsilon_0)$ and $\mathcal{X}_m(t, \epsilon_0)$ are
disjoint, by the definition of $\epsilon_0$.

For some $\epsilon$ (which we will show how to choose later) satisfying $\epsilon_0 > \epsilon > 0$, let $t_\epsilon$ be
such that $a_M[t] < A_M + \epsilon$ and $a_m[t] > A_m - \epsilon$, $\forall t \geq t_\epsilon$ (we know that such a $t_\epsilon$
exists by the definition of convergence). Consider the disjoint sets $\mathcal{X}_M(t_\epsilon, \epsilon_0)$ and
$\mathcal{X}_m(t_\epsilon, \epsilon_0)$. At least one of these two sets must be (f + 1)-reachable in $\mathcal{G}_{\mathcal{N}}$ due to
the assumption of (f + 1)-robustness. If $\mathcal{X}_M(t_\epsilon, \epsilon_0)$ is (f + 1)-reachable, there exists
some node $x_i \in \mathcal{X}_M(t_\epsilon, \epsilon_0)$ that has at least f + 1 normal neighbors outside
$\mathcal{X}_M(t_\epsilon, \epsilon_0)$. By definition, all of these neighbors have values at most equal to
$A_M - \epsilon_0$, and at least one of these values will be used by $x_i$ (since $x_i$ removes at most f
values lower than its own value). Note that at each time step, every normal node's value is a
convex combination of its own value and the values it uses from its neighbors, and each
coefficient in the combination is lower bounded by $\alpha$. Since the largest value that $x_i$ will
use at time-step $t_\epsilon$ is $a_M[t_\epsilon]$, placing the largest possible weight on $a_M[t_\epsilon]$ initiates
the following sequence of inequalities.

$$
\begin{aligned}
x_i[t_\epsilon + 1] &\leq (1 - \alpha)\, a_M[t_\epsilon] + \alpha (A_M - \epsilon_0) \\
&\leq (1 - \alpha)(A_M + \epsilon) + \alpha (A_M - \epsilon_0) \\
&\leq A_M - \alpha \epsilon_0 + (1 - \alpha)\epsilon.
\end{aligned}
$$

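Note that this upper bound also applies to the updated value of any normal node that is not in
$\mathcal{X}_M(t_\epsilon, \epsilon_0)$, because such a node will use its own value in its update. Similarly, if
$\mathcal{X}_m(t_\epsilon, \epsilon_0)$ is (f + 1)-reachable, there exists some node $x_j \in \mathcal{X}_m(t_\epsilon, \epsilon_0)$ that
will satisfy

$$x_j[t_\epsilon + 1] \geq A_m + \alpha \epsilon_0 - (1 - \alpha)\epsilon.$$

Again, any normal node that is not in $\mathcal{X}_m(t_\epsilon, \epsilon_0)$ will have the same lower bound. Define

$$\epsilon_1 = \alpha \epsilon_0 - (1 - \alpha)\epsilon,$$

and consider the sets $\mathcal{X}_M(t_\epsilon + 1, \epsilon_1)$ and $\mathcal{X}_m(t_\epsilon + 1, \epsilon_1)$. Since at least one of the
sets $\mathcal{X}_M(t_\epsilon, \epsilon_0)$ and $\mathcal{X}_m(t_\epsilon, \epsilon_0)$ was (f + 1)-reachable, it must be that either
$|\mathcal{X}_M(t_\epsilon + 1, \epsilon_1)| < |\mathcal{X}_M(t_\epsilon, \epsilon_0)|$ or $|\mathcal{X}_m(t_\epsilon + 1, \epsilon_1)| < |\mathcal{X}_m(t_\epsilon, \epsilon_0)|$, or
both. Further note that $\epsilon_1 < \epsilon_0$, and thus $\mathcal{X}_M(t_\epsilon + 1, \epsilon_1)$ and $\mathcal{X}_m(t_\epsilon + 1, \epsilon_1)$ are
still disjoint.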

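We can repeat this analysis for time-steps $t_\epsilon + j$, $j \geq 2$, to define sets
$\mathcal{X}_M(t_\epsilon + j, \epsilon_j)$ and $\mathcal{X}_m(t_\epsilon + j, \epsilon_j)$, where $\epsilon_j$ is defined recursively as
$\epsilon_j = \alpha \epsilon_{j-1} - (1 - \alpha)\epsilon$. Furthermore, at time-step $t_\epsilon + j$, either
$|\mathcal{X}_M(t_\epsilon + j, \epsilon_j)| < |\mathcal{X}_M(t_\epsilon + j - 1, \epsilon_{j-1})|$ or
$|\mathcal{X}_m(t_\epsilon + j, \epsilon_j)| < |\mathcal{X}_m(t_\epsilon + j - 1, \epsilon_{j-1})|$, or both. Since
$|\mathcal{X}_M(t_\epsilon, \epsilon_0)| + |\mathcal{X}_m(t_\epsilon, \epsilon_0)| \leq N$, there must be some time-step $t_\epsilon + T$ (where
$T \leq N$) where either $\mathcal{X}_M(t_\epsilon + T, \epsilon_T)$ or $\mathcal{X}_m(t_\epsilon + T, \epsilon_T)$ is empty. In the former
case, all nodes in the network at time-step $t_\epsilon + T$ have value less than $A_M - \epsilon_T$, and in the
latter case all nodes in the network at time-step $t_\epsilon + T$ have value greater than $A_m + \epsilon_T$.
We will show that $\epsilon_T > 0$, which will contradict the fact that the largest value monotonically
converges to $A_M$ (in the former case) or that the smallest value monotonically converges to
$A_m$ (in the latter case). To do this, note that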

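$$
\begin{aligned}
\epsilon_T &= \alpha \epsilon_{T-1} - (1 - \alpha)\epsilon \\
&= \alpha^2 \epsilon_{T-2} - \alpha (1 - \alpha)\epsilon - (1 - \alpha)\epsilon \\
&= \alpha^T \epsilon_0 - (1 - \alpha)(1 + \alpha + \cdots + \alpha^{T-1})\epsilon \\
&= \alpha^T \epsilon_0 - (1 - \alpha^T)\epsilon \\
&\geq \alpha^N \epsilon_0 - (1 - \alpha^N)\epsilon.
\end{aligned}
$$

If we choose $\epsilon < \frac{\alpha^N}{1 - \alpha^N}\epsilon_0$, we obtain $\epsilon_T > 0$, providing the desired
contradiction. It must thus be the case that $\epsilon_0 = 0$, proving that $A_M = A_m$. ■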